Despite March deadline, 72% of gov.uk domains haven’t set up DMARC yet

March 28, 2019

Even though the government is scheduled to retire its two-decades-old Government Secure Intranet (GSI) platform by the end of this month, only 28% of gov.uk domains have enabled Domain-based Message Authentication, Reporting and Conformance (DMARC) so far, a new report has revealed.

In June 2017, the National Cyber Security Centre introduced four new technologies (Web Check, DMARC, Public Sector DNS and a takedown service) as part of its Active Cyber Defence programme. These technologies were offered for free to help public institutions defend against sophisticated phishing attacks and to stop public sector systems veering onto malicious servers.

When launching the new technology, NCSC said that DMARC (Domain-based Message Authentication, Reporting and Conformance) would help authenticate an organisation’s communications as genuine by blocking malicious or fraudulent emails that spoof email addresses operated by government departments. During a test run prior to its launch, DMARC helped block over 300 million malicious or fraudulent emails that spoofed HMRC email addresses to defraud citizens.

Majority of gov.uk domains yet to set up DMARC

Encouraged by its success, the government directed all central government organisations to implement encryption and authentication in line with the Minimum Cyber Security Standard by the end of March. The standard included the implementation of Transport Layer Security Version 1.2 for sending and receiving email securely, the implementation of DMARC, and the implementation of spam and malware filtering technologies.

Even though the deadline for the retirement of the two-decades-old Government Secure Intranet (GSI) platform and adoption of the Minimum Cyber Security Standard by central government organisations is merely days away, a report from security firm Egress has revealed that so far, only 28% of gov.uk domains have been proactive in setting up DMARC appropriately.

If DMARC is not implemented by government organisations by the end of this month, their mailboxes will receive large numbers of malicious or fraudulent emails that spoof genuine organisations, and the chances of employees falling for phishing tactics will also remain high.

"It’s quite startling to see that so many public sector organisations have not yet enabled DMARC effectively and therefore cannot provide full assurance over their email network’s ability to withstand phishing attacks. With only one month left before the GSI framework is retired, it’s critical that organisations heed the advice laid out by GDS [Government Digital Service]," said Neil Larkins, CTO of Egress.

According to the firm, a lack of DMARC implementation would seriously impact an organisation's email network’s ability to withstand phishing attacks and would make it difficult for such organisations to filter out malicious and spam emails from their employees' inboxes.

Most DMARC policies set to 'do nothing'

After analysing more than 2,000 gov.uk email domains, Egress also found that of those organisations that have set up DMARC themselves, over half have configured the service policy to 'do nothing', which means that even though the technology is there, spam and phishing messages are still going straight into the recipient’s inbox, regardless of whether the message has been sent from a trusted sender or not.

This leaves a very small number of central government organisations who have set up DMARC in their email networks and have configured the technology appropriately to filter out large numbers of spam and malicious emails.
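
As an added illustration (not code from Egress, the NCSC or the original article), the Python below classifies DMARC TXT records so that a domain with no record, a record whose policy is `p=none` (the DMARC tag value that matches the 'do nothing' setting described above) and an enforcing record are counted separately. The domains and records are constructed samples, and the category names are this example's own.

```python
from collections import Counter

# Constructed sample data: domain -> TXT record at _dmarc.<domain> (None = no record).
SAMPLE = {
    "dept-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@dept-a.example",
    "dept-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@dept-b.example",
    "dept-c.example": "v=DMARC1; p=quarantine; pct=25",
    "dept-d.example": None,
    "dept-e.example": "v=spf1 -all",  # an SPF record, not DMARC
}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    pairs = []
    for part in txt.split(";"):
        if not part.strip():
            continue  # tolerate a trailing semicolon
        name, sep, value = part.partition("=")
        if not sep:
            return None  # every tag must be name=value
        pairs.append((name.strip().lower(), value.strip()))
    # RFC 7489: the version tag must come first and be exactly DMARC1.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return None
    return dict(pairs)

def classify(txt):
    """Map a record to missing / invalid / monitor-only / partial / enforcing."""
    if txt is None:
        return "missing"
    tags = parse_dmarc(txt)
    if tags is None:
        return "invalid"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        # RFC 7489 6.6.3: receivers fall back to p=none when rua is present.
        return "monitor-only" if tags.get("rua") else "invalid"
    if policy == "none":
        return "monitor-only"  # reports are sent, but failing mail is still delivered
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100
    return "enforcing" if pct >= 100 else "partial"

def summarise(records):
    """Count how many domains fall into each category."""
    return Counter(classify(txt) for txt in records.values())

if __name__ == "__main__":
    for domain, txt in SAMPLE.items():
        print(f"{domain:16} {classify(txt)}")
    print(dict(summarise(SAMPLE)))
```

Only the `enforcing` category (and, for a fraction of mail, `partial`) asks receiving servers to quarantine or reject messages that fail DMARC checks.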

"This sobering statistic might look shocking, but the reality is that this proportion of gov.uk domains using DMARC is in line with the rest of the UK," said Steve Malone, director of security product management at Mimecast.

"DMARC is an important tool to actively protect against the rising tide of impersonation attacks. These attacks are increasingly sophisticated, with dangerous domain lookalike attacks now using international character sets that can be impossible to detect with the naked eye.

"DMARC protects employees from falling victim to such tactics and ensures organisations can better defend the domains under their control. DMARC can build stronger herd immunity in the UK, but only if organisations prioritise implementation," he added.

About The Author

Jay Jay is a freelance technology writer for teiss. He has previously written news articles, device reviews and features for Mobile Choice UK website and magazine, as well as writing extensively for SC Magazine UK, Tech Radar, Indian Express, and Android Headlines.
